ca-certificates
Utilities for system wide CA certificate installation
update-ca-certificates is intended to keep the certificate stores of
various components in sync with the system CA certificates.
The canonical source of CA certificates is what p11-kit knows about.
By default p11-kit looks into /usr/share/pki/trust/ resp
/etc/pki/trust/ but there could be other plugins that serve as
source for certificates as well.
Supported Certificate Stores
update-ca-certificate supports a number of legacy certificate stores
for applications that don't talk to p11-kit directly yet. It does so
by generating the certificate stores in /var/lib/ca-certificates and
having symlinks from the locations where applications expect those
files.
- /etc/ssl/certs: Hashed directory readable by openSSL. Only for
legacy applications. Only contains CA certificates for server-auth
purpose. Avoid using this in applications.
- /etc/ssl/ca-bundle.pem: Concatenated bundle of CA certificates
with server-auth purpose. Avoid using this in applications.
- java-cacerts: Key store fore Java. Only filled with CA
certificates with purpose server-auth.
- openssl: hashed directory with CA certificates of all purposes.
Your system openSSL knows how to read that, don't hardcode the
path! Call SSL_CTX_set_default_verify_paths() instead.
Differences to previous versions on openSUSE
-
Packages are expected to install their CA certificates in
/usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead
of /usr/share/ca-certificates/ now. The anchors subdirectory is for
regular pem files, the directory one above for pem files in
openssl's 'trusted' format.
-
/etc/ca-certificates.conf is no longer supported. Just symlink the
certificates you don't want to /etc/pki/trust/blacklist.
Differences to Debian
- /etc/ca-certificates.conf is not supported.
- Hook scripts don't receive the list of changed certificates on
stdin. That allows scripts to have their own method to determine
changes.
- The command line arguments -v and -f are passed to hook scripts.
- All stores are created via hook scripts.